Closed juvai closed 8 months ago
Hello,
The variables (read from Hashicorp Vault) are not stored.
They are available (during the pipeline execution) to be used by other tasks.
You can have more information here: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-variables-scripts?view=azure-devops&tabs=bash
I am talking about the secrets (credentials) that are needed to log in to Vault. The task of the extension requires a login method; depending on the method you use, it requires a username and password, a token, etc. So is this the only way to reach the Vault, or will the Service Connection arrive in the future?
You can use Azure Pipelines library variables and store them as secrets. -> https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables?view=azure-devops&tabs=yaml%2Cbash
Example:
Create pipeline library variables called VAULT_PATH, VAULT_PW, VAULT_USR and VAULT_ADDR and add the correct values. Mark VAULT_PW as secret and add the variables to the execution like:
```yaml
- task: VaultReadKV@4
  inputs:
    strUrl: '$(VAULT_ADDR)'
    ignoreCertificateChecks: false
    useProxy: 'none'
    strAuthType: 'userpass'
    strUsername: '$(VAULT_USR)'
    strPassword: '$(VAULT_PW)'
    strKVEnginePath: '$(VAULT_PATH)'
    strSecretPath: '${{parameters.vaultSecretPath}}'
    kvVersion: '${{parameters.vaultVersion}}'
    strPrefixType: 'none'
    replaceCR: false
```
... and yes I also prefer to use a service connection. But this is a working work-around.
Hi @juvai,
I've just published a new release, 5.0.0, on the Azure DevOps marketplace.
This version includes the ability to manage some credentials with a service connection.
Regards
Hello,
Is storing secrets in the pipeline the only way? I don't think that this is a good approach to storing secrets in the pipeline. Or maybe there is a way to use some type of service connection?